Posted
by
CowboyNeal
on Friday October 21, 2005 @05:58AM
from the where-the-money-is dept.

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those root kits in the mean time are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."

Someone should develop the ultimate rootkit, patent it's code... and then sue the antivirus companies for IP infringement when they include it's code in their latest definition.
"All your oil belong to us."

Actually, the free version of the Hacker Defender [czweb.org] rootkit mentioned in the article is open source. GPL, I'm not sure about, but it still surprised me. It actually makes a lot of sense, because it allows attackers to customize and recompile the rootkit, probably creating a new binary that malware-detectors are unaware of.

There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?

It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...

'A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?" - by prichardson (603676) on Friday October 21, @06:26AMYou do have a point there... PING is another example as well, & it ships with most OS.

It too, can be used to issue a "ping of death" though iirc, most OS are

"If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild."

This poses an interesting question. If you did develop a worm with a nastey payload and release it on an entire subnet under your control (and ownership) that is firewalled off. Who would be blamed if a cracker broke in to the infected network, became infected themselves and then started infecting a public network either intentionly or not?

This problem of who is guilty also comes up with the use of honeypots, ie if someone breaks into a honeypot system and launches an attack from there who is responsible? The attacker or the person supplying the resources?I agree with your point of view that a blanket "all are responsible" response is not the best course of action, as I've wondered how long it will be before people like the authors of security books get bundled into the category of "they supplied the knowledge to make this attack possible, th

So here's what you do - write a worm and wrap it around a citrix or Windows Term Serv. Then when you have thousands, you can use then with DDOSs.

Seriously though - Golden Hacker Defender. I've never heard of this. It it were seriously a commercial product, I doubt it would be a rootkit, perhaps a "Remote administration tool." I can't goole (verb) where to purchase it.

So here's the thing. I wrote a virus, and now I'm going to sell it. It's a commercial virus. Oops! Not it isn't, it's just me selling a virus.

Hmm it seems to be a new release of something called Hacker Defender. Apparently available here [czweb.org] for the curious. Interesting comment in the box about how the commercial version is not released under the GPL:p

The guy who writes hacker defender offers the source code for free, but offers to customize it to make it invisible to commericial anti-virus software and root kit detection software.

This is a big problem, I do application/infrastructure attack and penentration and have seen/had co-workers see this fairly often in mainly financial and defense clients. This problem definetly exists and is causing some major headaches in the info sec world.

In other news, we learn that script kiddies don't actually write software.

I'd have thought 450 euros (see here [czweb.org], select "Golden Hacker Defender" from combo box) was a bit beyond the price range of your average copy/paste script kiddies, but then I've never met any so I wouldn't know. Either way, it's not clear to me that the site is breaking any laws by selling this software. Any lawyers around?

It's actually an interesting business model, because it mirrors that of other open source businesses. Yeah, maybe you can get a copy of the code itself, but what you really need is the support agreement. When an attacker buys a commercial rootkit from the Hacker Defender folks, they agree to update his or her rootkit to keep it undetectable from malware-scanners for a given amount of time.

If the attacker were to freely distribute the code they got, it would show up on Norton's radar pretty quick, and bec

What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?Or is there a Matrix-esque cabal of midnight hackers out there dressed in trenchcoats and sunglasses who are busy at work undermining the government? I find that hard to believe.

I find it easy to believe that there are foreign governments very interested in this type of thing, but it is difficult to imagine ordinary citizens having both the desire and the wherewithal to perform serious attacks a

If you've been watching the news the last few weeks ex-IRA members have been busted doing forgeries in North Korea, bomb-making in Iraq, and making IED's in Columbia. This is an example of the market for worldwide organised crime skills becoming huge as organisations outsource skillsets, especially nefarious skillsets. It's interesting to note the rise of these types of non-state actors on the world stage and how they are interplaying with governments and corporations. Organised crime is going to become hu

What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

There's a constant struggle to defeat the detection measures, or detect newer, stealthier rootkits. I've played around with seeing how well I can hide something on my own system, never used it in anger but there's an intellectual challenge there. Like chess or go, it's basically the same every time but I can see people constantly finding new pleasure in it.

Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is fud and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.

I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mightly hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

Love the quote from a researcher saying that the alleged sale of rookits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.

"Love the quote from a researcher saying that the alleged sale of rookits means that "

I think what he meant (tho he could have phrased it much better) is that previously virus writers were just sad spotty adolescents with no social skills in their bedroom writing viruses to prove something to themselves or to impress they're equally sad andspotty online "friends". These days a lot of it is paid for by organised crime who have specific targets and specific agendas.

Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, i guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.

Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable.

No it won't. A default deny policy is simply not practical unless you can afford a lot of extra trouble. If I was developing on such a machine, would I have to get every revision of my code signed?

All that will be harmed is the "freeware" and "open source" software. They will claim that this is a good thing. After all, that software merely serves to undermine the profitability of the "real" software developers.

Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.'

This is what selinux brings to the table. It allows you to specify a policy for your system that will block programs from doing things that they should not do. Of course if most windows systems operated with the least privilege rule most of the viruses out there would be unable to work as they do now. Instead of an arms race between

A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

That definition is wrong. A rootkit is a kit that helps you getroot access on a system either by buffer overflow of a runningprocess/server or some other method. To prevent a processshowing up in ps all you have to do is put your own version ofthe ps command in place, hardly rocket science.

Root kits will normally includ things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

There is more to a root kit than just a replacement ps, but of course that is a critical element.

No it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to be running normally is much harder, different library / operating system / architectures to deal with and the fact that you are messing around with core system files.

There is more to a root kit than just a replacement ps, but of course that is a critical element.

Not necessarily. There are rootkits which are based on kernel modules (so that the kernel API are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through/proc).

It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD)

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.

I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is...:)

For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

The best way to detect a rootkit is via tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires brining the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.

A very good way to detect malware (in fact any unauthorized changes to system files is to md5sum (or better) all system files (which are preferrably stored on NAS on a local network) regularly by a separate heavily fortified system and send out an alert on differences.A framework for this (mtree, tools for package file checksumming, cron scripts etc.) has been part of the default installation on the *BSDs for ages, but I haven't seen anything like it in the default installation for any Linux distros.Of cour

> I haven't seen anything like it in the default installation for any Linux distros.

You could just tar the rfs or a selection of critical system files, copy to tape, untar and md5sum those files on a non-networked box you keep hanging around for the purpose. For a limited number of key servers this wouldn't be too onerous.

Now md5 hacks exist but a combination of creation date, filesize and md5 would be a fairly good fingerprint - or you could just diff against known good versions for a limited set of

Actually, all of this is exactly what tripwire does. It stores a database of file attributes (hashes, mtimes, etc.).You can also easily run it on a running system.

The problem is that on a running system your executable is subject to the whims of the currently-running kernel, glibc, linker, etc. If the rootkit installed a kernel module, or a modified glibc, or something else, then when you scan ps it could just point you to a saved unmodified copy of ps, and then your scan would miss the changes. When you

thanks for taking the trouble to reply, as the mods say that is very informative. Damn those rootkits. I would suspect that the hardest trick to pull off is a raw dump of the fs but that is not very convient to manipulate.I think the weakest link in most companies are idiot staff (like an ex-boss who brought more viruses into the company via his laptop than a Bombay hooker) and idiot sysadmins. In years of having a computer directly connected to the Internet I only got hit once when I installed a dodgy bina

And this is why I like the idea of binaries being tied hard to the exact processor for which they were compiled, rather than every processor having the same instruction set. It makes it a stackload harder to do stuff like that, when actually enabling the build environment requires physical access to the machine. As long as there exists binary compatibility between your systen and Some Unknown Bad Guy's system, there will be rootkits.

Now that we have seen proof of checksum collisions, I do not doubt that

Are you talking about processor serial numbering, or talking about the difference between an Intel vs Sparc vs AMD vs PowerPC vs whatever? You could further granularize it by using the differences in clock speed, processor ID, etc. Interesting concept. You'd have to rebuild the entire machine to upgrade the CPU(s), though, if you did things either way.

I'm talking about each and every processor having a different instruction set. There would be two modes, selectable in hardware by shorting a pin to ground or not. In "Compatibility Mode" -- aka "Dangerous Mode" -- the instruction set would be known and standardised; thus allowing you to use a standardised toolchain to compile some bootstrap code {a kernel and a minimal userland} for running in Safe Mode. In "Safe Mode", the processor would use its own "personalised" instruction set, which you would ne

It's certianly a good idea, but I question how practical it would be. Most IT departments are so woefully understaffed as it is that maintaining specific builds for specific users (or departments) would quickly become a near-impossible task (not to mention the storage requirements of those images).

In a technology-centric company that is able to build all its software in-house, this would make more sense, but would be adding "another layer" to what is already a significant amount of work.

well it's obvious you've never actually been hit with one other wise you would know what you were talking about. *EXPLOITS* get you root. rootkits allow you to KEEP root. The average rootkit disables forensics programs like lsof, ps, find, locate, w, who, (sometimes) syslogd. They also modify shit like rc.sysinit or inittab.

Don't let the name fool you because thats all it is is a name. Exploits and rootkits are 2 entirely different things. You can get all the exploits you want from packetstormsecurity [packetstormsecurity.nl] but

What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!

Rootkits are indeed designed to hide malware from the tools that are designed to show what applications, network connections, etc. are running. The article went on to explain this a bit more clearly, but it may have been a bit subtle. Yes, the purpose of a rootkit is to hide running processes from things like ps, and the windows task manager and such. But, the deal is that many Antivirus products include not only static pattern based detection algorithms that look for malware, but also behavior-based dete

Paid versions are not released under GPL licence.Every customer who buys antidetection service agrees with this licence.Customer is not allowed to spread the product or its parts in neither binary nor source code form.Violating of this licence will issue in loss of any supportand also in impossibility of buying new updates and other products and services.Customer can do

Rootkits are not nessesarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

Which is the principle difference between *nix and windows. Most of the holes in unices have been found over the years. Windows was only exposed to wide area networks in a serious way over the last ten years. The bugs are still being found.

I do know that. I also know that Windows XP and earlier create the main user with administrator rights by default (which is also why many programs need administator rights to work at all, as they haven't been developed with restricted accounds in mind) and before patched it can let viruses in without the user doing anything. Blaster/lovsan anyone?

Rootkits don't just get into a computer magically, they have to exploit a vulnerability in the OS or trick the user. *nix based systems don't let user stupidity do